”I have no idea how to make it safer”: Security and Privacy Mindsets of Browser Extension Developers (god2025)

Browser extensions are a powerful part of the Web ecosystem as they extend browser functionality and let users personalize their online experience. But with higher privileges than regular web apps, extensions bring unique security and privacy risks. Much like web applications, vulnerabilities often creep in, not just through poor implementation, but also through gaps in developer awareness and ecosystem support. In this talk, we share insights from a recent study in which we interviewed and...

Browser extensions are a powerful part of the Web ecosystem as they extend browser functionality and let users personalize their online experience. But with higher privileges than regular web apps, extensions bring unique security and privacy risks. Much like web applications, vulnerabilities often creep in, not just through poor implementation, but also through gaps in developer awareness and ecosystem support. In this talk, we share insights from a recent study in which we interviewed and observed 21 extension developers across the world [1] as they worked on security and privacy-related tasks that we designed based on our prior works and observations [2, 3]. Their live decision-making revealed common misconceptions, unexpected pain points, and ecosystemic obstacles in the extension development lifecycle. Extending beyond our published results, we plan to highlight some of the untold anecdotes, insecure development practices, their threat perception, the design-level challenges, as well as the misconceptions around them. The audience will take away the following items from the presentation/discussion: Common insecure practices in extension development. Why security ≠ privacy ≠ store compliance, as often perceived by extension developers! Hidden design gaps and loopholes in extension architecture that developers can't spot or comprehend. Anecdotes on the course of extension development in the era of LLMs. Developers, regulations (GDPR/CCPA/CRA), and a few “interesting” opinions. And, most importantly, why you should NOT give up on them just yet! :) References: [1] Agarwal, Shubham, et al. “I have no idea how to make it safer”: Studying Security and Privacy Mindsets of Browser Extension Developers. Proceedings of the 34th USENIX Security Symposium 2025. [2] Agarwal, Shubham, Aurore Fass, and Ben Stock. Peeking through the window: Fingerprinting Browser Extensions through Page-Visible Execution Traces and Interactions. Proceedings of the 31st ACM SIGSAC Conference on Computer and Communications Security. 2024. [3] Agarwal, Shubham. Helping or hindering? How browser extensions undermine security. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. 2022. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de